Email a friend

To

From

Thank you

Sorry

When it comes to security, who’s in charge, where do roles and responsibilities overlap, and what are the biggest challenges to aligning infosec and business goals? A joint CSO, CIO, Computerworld survey sheds some light.

If you sense some discontent in how information security is handled in your company, you're not alone. Half of the 287 U.S.-based IT and business professionals who responded to a recent survey from CSO and its sister sites CIO and Computerworld gave their organizations' security practices a grade of C or below.

Contributing to the low scores is a familiar push and pull: Security is under increased scrutiny from the highest levels of the organization, while IT and security staffs and budgets are stretched to their limits.

But there may be something else at work here as well. As anyone who's been branded teacher's pet knows, getting good grades can have unintended consequences. In this case, being too confident in your security practices could draw unwanted attention from hackers, Wells Fargo CISO Rich Baich told CSO.

Maybe the state of security isn't so bad after all? Read on to see what IT and business professionals really think about how their organizations handle infosec.

A majority of survey respondents (65 percent) said that senior business management is focusing more attention on information security this year than in prior years, and 77 percent of respondents said that they expect management to be more focused on infosec in the next 1 to 3 years.

The reason for this increased attention? The C-Suite is on the hot seat for security. “In the past, a CEO could simply have faith in the efforts of security professionals in the company," Joel Gibbons, director of IT and compliance at National FFA, told CSO. "Now, the CEO needs to know more to be able to answer specific questions about how we are securing whatever needs securing inside the organization’s perimeter.”

For 57 percent of survey respondents who note an increased focus on security, concern that their organizations will experience a breach or other security incident is among the main drivers. The reality is that “it is only a matter of time before someone finds an access point that we’ve missed,” Gibbons said. “That’s just the nature of the game these days.”

Having a dedicated infosec team is a luxury that many companies can’t afford—more than half of our survey respondents said the IT department is in charge of information security at their organization.

What happens when IT is in charge of security? For one, it means that the CIO is on the hook for security incidents. Seventy percent of survey respondents said that the CIO or head of IT will be held responsible if a data breach happens at their organization.

But for IT organizations that are also in charge of security, it is a "daily balancing act," said National FFA's Gibbons. "In a small organization, I can’t always afford to let my security folks focus solely on security. There are always other things they need to do. That can have a negative impact on security. Or, it can have a negative impact on any other things they aren’t doing because security efforts take so much of their time."

The balancing act described by Gibbons is starkly reflected in the survey results. Among the respondents who said that IT is primarily responsible for infosec, an average of 20 percent of IT's time and 15 percent of IT's budget are devoted to security-related efforts.

“Security ends up being sliced up and doled out to 10% of several people’s jobs," Brendan O’Malley, a serial CIO at midsize firms and now a consultant, told CIO. As a result, he says, "it’s very tough to make progress or to stay on top of it the way you have to.”

For many organizations, particularly small and midsize companies, outsourcing security is the only way to compensate for not having a dedicated infosec team.

Recall O’Malley’s description of a security function that is “sliced up and doled out." While spreading security responsibility around gets the tasks done, it also opens a firm up to risk. “You absolutely need to have some kind of outside support,” explained O’Malley.

Blackhawk Community Credit Union, whose 8-person IT staff handles IT and security for its 150 users, takes the following approach to working with consultants and MSSPs, Richard Borden, vice president of IT, told CIO:

The credit union handles strategy and policy planning

Consultants are brought in for specialized functions

An MSSP is used for “meat and potatoes” security functions

This approach is likely familiar to those of you who use outside consultants or MSSPs to assist with infosec, and it is borne out in the survey results: penetration testing, spam filtering and threat intelligence were the top three security functions outsourced to third parties.

Even in organizations where there are dedicated infosec teams, there is a great deal of overlap in responsibilities. A whopping 70 percent of respondents at such organizations said IT and infosec overlap when it comes to managing infrastructure and systems vulnerabilities.

This apparent confusion over who does what may be an alignment problem between infosec and IT. Among those survey respondents who said they have dedicated infosec teams, 15 percent said that infosec strategy and IT strategy aren’t integrated at all in their organizations, while 54 percent said they were somewhat integrated. Only 31 percent said they were closely aligned and well integrated.

But that is changing … for the better. Fifty-nine percent of respondents from organizations with dedicated infosec teams said that in three years infosec strategy and IT strategy will be closely aligned and well integrated.

The top three challenges survey respondents said their organizations face when it comes to aligning security aims and business needs are justifying costs, defining risks and dividing up responsibility.

But as intractable as those challenges may seem, achieving alignment may be largely a matter of communication.

“When you can articulate a risk that the business and board of directors agree with, then you can come up with a plan to mitigate and manage that risk,” including additional funding and resources, Michael Eisenberg, vice president in the Office of the CISO at cyber security solutions provider Optiv, told CSO.

For Wells Fargo, improving communication with the bank's executives started with a realignment of the security hierarchy. Rich Baich, who became the bank's first CISO in 2012, began reporting to the chief risk officer in January 2015. “[The new hierarchy] allowed us to effectively create a communication channel that helped people understand the language of security, the importance of security, how it fits into the larger, overall risk management construct," Baich told CSO.

Yet another balancing act comes into play when companies consider how frequently to change their security policies. More than half of survey respondents said their organization has had its current infosec management model in place for three years or more.

And yet, as Beth Stackpole points out in her Computerworld article, organizations must frequently update their security procedures to stay on top of a fast-shifting threat landscape. The challenge lies in finding that sweet spot between keeping polices up-to-date and frustrating users to the point where they revolt, Forrester analyst Kelley Mak told Computerworld.

“It’s not as simple as taking the data and making a new policy, because you have to make sure information workers aren’t upset,” he explains. “The more restrictions you put in place, the more likely someone is to go around it.”

Exactly half of survey respondents said their organization is considering making a change to its infosec management model. Among those organizations considering a change, 78 percent cite concerns about breaches and data loss as a top factor.

With the seemingly constant stream of new threats, how do organizations that have had an infosec model in place for several years keep their security policies relevant?

The Bank of Labor takes a methodical approach to updating its formal policies, but is quick to tweak procedures in response to threats.“The purpose of our policies is to be at a high level, not to cover every eventuality out there,” Shaun Miller, the bank’s information security officer, told Computerworld. “We update procedures for tactical, day-to-day stuff, but when it comes to our strategic direction on security going forward, we change our policies in a limited fashion so as to not overwhelm users.”

As an example, the bank recently blocked Flash, a move that Miller said the firm doesn’t consider a change to policy. “Our board of directors approves policy and they don’t know what Flash is or what it does. It’s just an example of a simple, day-to-day business response to threats as needed.”